ZSA-2026-09
The fix for the Reflected Cross-Site Scripting (XSS) vulnerability published as ZSA-2026-02 (CVE-2025-59490) was incomplete. The sanitization introduced by that fix could be bypassed with scrambled (obfuscated) script tags, again allowing attackers to inject arbitrary JavaScript via unfiltered URL parameters that are reflected into the response. When a crafted malicious URL is delivered to a victim (e.g., via phishing or social engineering) and subsequently opened, the payload executes in the victim's browser within the security context of their session.
This follow-up fix completes the mitigation that was initially introduced in Znuny LTS 6.5.19 and Znuny 7.3.1.
Fixed in: Znuny LTS 6.5.21 and Znuny 7.3.3
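The following is an added illustration of the general failure mode behind this advisory, not Znuny's code and not the actual bypass: a blacklist sanitizer that removes recognised script tags in a single pass can be defeated by nesting one tag inside another so that removing the inner tag assembles the outer one, and it never addressed markup that carries JavaScript without a script tag at all. The sanitizer (`naive_sanitize`), the two reflection helpers (`reflect_unsafe`, `reflect_safe`) and the payloads are all constructed for this example; the hardened variant applies HTML entity encoding for the reflecting context instead of trying to recognise dangerous tags.

```python
import html
import re

# Hypothetical single-pass blacklist sanitizer (constructed for illustration,
# not the project's own code): strips opening and closing <script> tags,
# case-insensitively, and passes everything else through.
_SCRIPT_TAG = re.compile(r"</?script\b[^>]*>", re.IGNORECASE)


def naive_sanitize(value: str) -> str:
    """Remove script tags in one pass.

    Bypassable: deleting an inner "<script>" from "<scr<script>ipt>" leaves
    the characters "<script>" behind, so the output contains exactly the tag
    the filter was meant to remove.
    """
    return _SCRIPT_TAG.sub("", value)


def reflect_unsafe(param: str) -> str:
    """Reflect a URL parameter into HTML after blacklist sanitization."""
    return f"<p>Search results for: {naive_sanitize(param)}</p>"


def reflect_safe(param: str) -> str:
    """Reflect the same parameter with output encoding for the HTML text
    context; '<', '>', '&' and quotes become entities, so no markup from the
    parameter can form a tag or attribute regardless of how it is obfuscated."""
    return f"<p>Search results for: {html.escape(param, quote=True)}</p>"


def contains_script_tag(fragment: str) -> bool:
    """True if a real <script ...> start tag survives in the emitted HTML."""
    return re.search(r"<script\b", fragment, re.IGNORECASE) is not None


def contains_event_handler(fragment: str) -> bool:
    """True if an inline on* event handler attribute survives inside a tag."""
    return re.search(r"<[^>]*\son\w+\s*=", fragment, re.IGNORECASE) is not None


# Constructed inputs (not from the advisory): a plain script tag, a nested
# (obfuscated) script tag, and a payload that needs no script tag at all.
PAYLOADS = {
    "plain": "<script>alert(1)</script>",
    "nested": "<scr<script>ipt>alert(1)</scr</script>ipt>",
    "handler": "<img src=x onerror=alert(1)>",
}


def evaluate() -> dict:
    """Run each payload through both reflection paths and report whether
    executable markup reaches the response."""
    results = {}
    for name, payload in PAYLOADS.items():
        unsafe = reflect_unsafe(payload)
        safe = reflect_safe(payload)
        results[name] = {
            "unsafe_has_script": contains_script_tag(unsafe),
            "unsafe_has_handler": contains_event_handler(unsafe),
            "safe_has_script": contains_script_tag(safe),
            "safe_has_handler": contains_event_handler(safe),
        }
    return results


if __name__ == "__main__":
    for name, verdict in evaluate().items():
        print(name, verdict)
```

The single-pass filter removes the plain payload's tags but reassembles a live script tag from the nested one and ignores the event-handler payload entirely; iterating the filter to a fixed point would close the first hole but not the second. Encoding at the point of reflection closes both, because the browser never sees an unencoded `<` from attacker input.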